Day Pitney’s Healthcare Law Blog provides regular updates on issues affecting all aspects of the healthcare industry. In this era of ever-increasing regulation, we monitor healthcare news and developments from all federal and state agencies, as well as significant court decisions and public policy initiatives. We cut through the jargon and give our clients and other readers what they need to know in a concise, no-nonsense style to save them time while helping them stay informed.

The Department of Health and Human Services Office for Civil Rights (OCR) recently released a document entitled “Guidance on HIPAA & Cloud Computing,” which puts to rest any question of whether cloud service providers are business associates (BAs) under HIPAA.

The October 6 guidance confirms that a cloud service provider becomes a BA whenever it receives, stores, or transmits electronic protected health information (ePHI) on behalf of a covered entity or BA, even if it handles only encrypted ePHI and does not hold the key needed to decrypt the data (a so-called “no-view” service). Lack of access to the plaintext does not take the provider outside HIPAA. Covered entities and BAs are therefore required to enter into HIPAA-compliant business associate agreements with their cloud providers, and the cloud providers are themselves directly liable for compliance with the HIPAA requirements that apply to them.

OCR stressed the importance of a covered entity or BA understanding its cloud provider’s computing environment, because without that understanding the customer cannot appropriately conduct its own risk analysis or establish the risk management policies that may be required. It remains to be seen how willing cloud service providers will be to share the information needed to conduct such a risk analysis.